Anticipating Abuse

By Peter Coffee  |  Posted 2002-08-05 Print this article Print

Anticipating Abuse

At the same time, however, the notion of lowering barriers between code and content is rightly greeted with suspicion, or even horror, by enterprise developers whove learned the hard way about intrinsic insecurity due to granting too much trust to third-party executable content.

In a services environment, security becomes indispensable at not just the perimeter but also on every level of an application. Indeed, the perimeter becomes hard to define, since any function may now entail a call to a third-party service on a remote computing resource.

Learning to write applications that anticipate abuse and that guard against unintended behaviors is orders of magnitude more difficult than merely writing applications that correctly handle input that isnt even trying to make trouble (and the latter task still exceeds the grasp of all too many coders).

Microsofts .Net offers new coding constructs for not only stating what resources an application requires but also refusing to accept anything more. Meanwhile, encryption technology vendor RSA Security Inc., of Bedford, Mass., projects its revenues as "very much dependent on the expansion of Web services," said CEO Art Coviello in a conversation with eWEEK this spring, citing the crucial role of authentication in ensuring that a putative service provider is who it claims to be.

Enterprise IT builders will want to explore tools and services for testing of their new applications, calling on providers such as KeyLabs, a unit of Lab Acquisition Corp. KeyLabs announced last month a Web services initiative combining quality, performance and security assessment with conformance and certification testing.

But even before Web services technology takes on the challenge of cross-enterprise interaction, Microsoft is packaging the loosely coupled services model for smaller tasks with low-priced small- and medium-scale versions of its BizTalk Server product. This may prove attractive to organizations that arent yet ready to expose their internal systems to external interactions but want to take advantage of services-based APIs to combine off-the-shelf software modules without the cost and time delays of previous application integration technologies.

"In the education arena, if we go with a single product, obviously theyre not going to have everything that we want," said Judy Brown, emerging technology analyst for the University of Wisconsin System, in Madison, and an eWEEK Corporate Partner. "We would love to be able to pull in some other question generator, an assessment generator, a collaborative discussion tool or conferencing communication tool, or some kind of a grade book. These could be plugged and played through Web services and called out through the right architecture."

This opportunity in controllable environments, replicated across many other application domains, will give Web services takeoff potential long before their security and reliability issues on the public network are fully addressed.

To maximize near- and long-term potentials, development teams should remain focused on the common subset of the core technologies that all Web services frameworks employ, using those frameworks distinctive extensions only by choice—never merely because they are there. (Click here for tips on questions to ask when choosing a Web services platform.)

Technology Editor Peter Coffee can be reached at

Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developersÔÇÖ technical requirements on the companyÔÇÖs evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter companyÔÇÖs first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel